The Ransomware Casier (which is in my opinion the grandson of Goldenbaks) has new clothes and it looks like the way affiliates are managed has changed too.
Malekal pointed me to a new evolution in the French design of Ransom Casier.
Take a look at his post; it shows one affiliate panel that he was able to open. You'll see that it's really different from the panel shown by Xylitol when he infiltrated the "Gangstaservice Winlock Affiliate".
In the past there was one server for all affiliates (as shown by the server folder tree + HTTP calls) and illustrated by Xylitol. Now it looks like there is one server (or at least one vhost) per affiliate and a failover to a master server (btw both seem not to be using the same GeoIP database). If you are interested in knowing more about that, you know how to contact me.
They are now using the same design (or should we say, the services of the same designer) as Lyposit.
Neither has a design for Italy or Greece.
Lyposit was trying to target Ireland (but failed). It was targeting people with an Irish keyboard with an Iranian design.
It was a mistake (a misunderstanding?? between the designer and the creator of the Ransom Affiliate - ir != ie).
Casier is successfully targeting Ireland:
but... it also has a design for Iran (I was not able to retrieve it; almost surely the same meaningless design that Lyposit was showing).
There is also a US design that was not available for Lyposit. It's obviously a different job.
Screenshot of a part of Malekal's Post
Lyposit Designs (see Botnets.fr Lyposit page)
Casier Designs (see Botnets.fr Casier page)
Lyposit IR Design
IE Design for Casier (One more (the?) Gaelic Ransomware)
Available Design for Casier
Casier US Design
Some links:
Ransomware « Trojan.Casier » Panel - Malekal Morte - 2012-09-18
Gangstaservice Winlock Affiliate - Xylitol - 2012-08-01
Landings specific to Ireland (Landings_IE on Botnets.fr)
Lyposit page on botnets.fr
Casier page on botnets.fr
Goldenbaks page on botnets.fr (yes in my opinion it's the past of Casier)